[Title]

Method for linking of devices

[Technical field of the invention]

The present invention relates to a method for linking of a first characteristic
of a first device to a second characteristic of a second device. The invention
also concerns a server and a computer program loadable into a processing unit
of a server.

[Background of the invention]

Linking of devices is defined by the achieving of an association of one or more
characteristics of a first device with one or more characteristics of one or
more further devices. A characteristic allows typically to identify a device,
however, in a more general sense a characteristic can relate to any kind of
information associated with a device. For linking of a first device to a second
device, one or more characteristics of the first device are associated to one
or more characteristics of the second device. One or more of the associated
characteristics can be determined from the respective devices or from further
entities knowing the respective characteristics. In general, linking of devices
provides extended information due to the linkage, e.g. by revealing that two
devices are linked at some point in time. A table may be used for the
association of characteristics and characteristics may be different for
different implementations of the linking method.

Linking of devices is increasingly used for authentication purposes. When
trying to access an institution like a system or service or device via a
non-trusted device like a computer terminal or an automatic teller machine
(ATM) or a door, the institution to which access is requested initially does
not have knowledge on the operator of the non-trusted device. For a lot of
situations like downloading publicly available information from the Internet or
entering a public building this lack of knowledge is not problematic to the
institution, i.e. access to the institution is provided via the non-trusted
device to any person that is able to operate the non-trusted device. However,
for accessing an institution where access restrictions apply, knowledge
regarding the legitimization for access is necessary. This knowledge can be
e.g. provided by an authentication procedure like verifying a user identity and
a password entered into the non-personal device. Alternatively, linking to a
trusted device can be used for authentication for granting access.

A trusted device is a device that is associated with an access legitimization
as the main characteristic of a trusted device. An access legitimization
legitimates the trusted device to access a particular institution. When
presenting the trusted device to the particular institution, the access
legitimization achieves that access to the particular institution is granted to
the trusted device. The particular institution or an entity supporting the
particular institution can have certain criteria to verify the access
legitimization for granting access. Examples for a trusted device are a mobile
phone being legitimated for accessing a mobile telephone network or a credit
card being legitimated for accessing a payment service. Depending on the
trusted device and the processing of the verification of the access
legitimization, an identity of the legitimate owner of the trusted device can
be obtained or it can be proven that a person operating a trusted device is
identical to or is authorized by the legitimate owner. The respective
information may be associated with the access legitimization of the trusted
device.

Thus, when requesting access to an institution via a non-trusted device, a
trusted device with an associated access legitimization can be presented. The
associated access legitimization can be determined and can be associated to a
characteristic like an identifier of the non-trusted device requesting access
to the institution. Alternatively, a characteristic of the trusted device
referring to the access legitimization associated with the trusted device can
be associated to the characteristic of the non-trusted device. The institution
to that the access legitimization associated with the trusted device
legitimates for access does not necessarily have to be identical to the
institution to that the non-trusted device requests access to. Agreements
between different institutions can ensure that an access legitimization
legitimating for access to a first institution legitimates also for access to a
second institution. The associated characteristics of the trusted and
non-trusted device can be stored in a database for further processing, e.g. for
statistical, charging or legal purposes. Based on the associated
characteristics of the non-trusted and trusted device, access can be granted to
or via the non-trusted device, because now the institution or the entity
supporting the institution for authentication purpose is provided with
knowledge on an access legitimization linked to a characteristic of the
non-trusted device like an identifier identifying the non-trusted device.
Depending on the trusted device and the implementation of the linking method,
information about an identity of the legitimate owner of the trusted device or
a proof that an operator of the trusted device is identical to or is authorized
by the legitimate owner of the trusted device can be obtained and associated to
the respective characteristic of the non-trusted device. Also an identity of
the institution that is to be accessed can be associated.

More secure linking methods require in addition to the association of
characteristics a proof that a first device and a second device that are to be
linked are located in close proximity. The proof of the close proximity is seen
as sufficient evidence that the operator of the first device is identical to or
at least authorized by the operator of the second device.

Different solutions exist for proving the close proximity that are described in
the following:

According to a first solution, a local connection between a first device and a
second device that are to be linked can be used to send linking data from a
server, e.g. a payment or authentication server, via the first device and the
second device and then back to the server or vice versa. A successful
round-trip of the linking data is sufficient proof for the existing local
connection and thus for the close proximity. Local physical connections like
cables, docking stations, card readers or local wireless connections with
transmission ranges of about less than 10 meters as provided by Infrared (IR)
or Bluetooth can be used.

According to a second solution, a person manually transfers linking data from a
first device to a second device for proving the close proximity. For example,
an authentication server supporting an institution that is to be accessed by a
non-trusted device sends a randomly generated one-time password (OTP) as
linking data to the trusted device. The person that operates the trusted device
and the non-trusted device reads the linking data and manually types the
linking data into the non-trusted device. As in the first solution, the
round-trip of the linking data is seen as proof for the close proximity.

US-6,259,909 describes a round-trip of a code word used in a method for secure
access by a user to a remote system. After an authentication of a first
communications device by an access device, a code word is transmitted from the
access device to a second communications device. Said code word received by the
second communications device is further transmitted from the second
communications device via the first communications device to said access device
which can grant to the first and/or second communications device access to the
remote system after a check for correctness of the code word received from the
first communications device. A data processing unit can be used as first
communications device and a mobile phone may be used as second communications
device.

The aforementioned solutions for proving the close proximity have
disadvantages. A local connection requires compatible interfaces at the devices
that are to be linked for transferring the data from one device to the other
device. However, compatibility of interfaces is very often not given thus
limiting the applicability of solutions based on local connections to a small
fragment of a potential market. This is especially true for local wireless
connections, because appropriate local wireless interfaces like IR or Bluetooth
transceivers are rather seldom on devices like personal computers (PCs),
workstations, ATMs or older mobile phones. Using local physical connections
requires to physically connect devices that are to be linked. However,
physically connecting devices is an inconvenient and often even annoying task.
Similarly, line-of-sight local wireless connection techniques like IR require
appropriate aligning transceivers of devices that are to be linked.
Furthermore, replacing a device by an appropriate further device requires to
first remove the local connection from the device that is to be replaced and to
attach the removed local connection to the appropriate further device thus
increasing the inconvenience for the operator.

Solutions based on manually transferred linking data require the person that
operates the first and the second device to be active in a sense that the
person has to read the linking data that is to be transferred manually from the
first device and to type it into the second device. In order to prevent
guessing of the linking data, the linking data should not be too short.
However, reading of a longer sequence from the first device and typing of the
longer sequence into a second device is not convenient and the probability for
mistyping increases with the length of the sequence. It is annoying when the
linking is rejected because of any reading or typing errors.

[Summary of the Invention]

It is an object of the present invention to provide a method, a device, and a
computer program, which enable a convenient linking of a first characteristic
of a first device and a second characteristic of a second device.

This object is achieved by the method as described in claim 1. Furthermore, the
invention is embodied in a server as described in claim 9 and a computer
program loadable into a processing unit of a server is described in claim 16.
Advantageous embodiments are described in the further claims.

For the linking of a first characteristic of a first device and a second
characteristic of a second device by a server the following steps are executed.

In a first step, a first linking information and a second linking information
are selected with the requirement that the first linking information and the
second linking information match. To this end, the first linking information
does not necessarily have to be identical to the second linking information.

Next, the first linking information is sent from the server to the first device
and the second linking information is sent from the server to the second
device.

Furthermore, the first linking information is presented by the first device and
the second linking information is presented by the second device. Presenting is
to be understood as an output to a person. The output by the first device can
be different from the output by the second device, however, the matching of the
first linking information and the second linking information must be
recognizable. Examples for non-identical matching linking information may be a
first linking information being complementary or successional to a second
linking information.

After recognizing that the first linking information that is presented by the
first device and the second linking information that is presented by the second
device match, an indication of the matching is entered into the first device.
For example, the operator of the first device can press a button on the first
device or an appropriate voice-command can be used for entering the indication
of the matching.

Based on the entered indication of the matching, the first device sends to the
server a matching confirmation. The matching confirmation confirms to the
server the matching of the first linking information presented by the first
device and the second linking information presented by the second device.

Based on the received matching confirmation, the first characteristic and the
second characteristic are associated e.g. by correlating the first
characteristic and the second characteristic in a table.

The proposed method enables a convenient linking of a first characteristic of a
first device and a second characteristic of a second device. Comparing of a
first linking information presented by a first device and a second linking
information presented by a second device and confirming the matching at one of
the two devices according to the present invention requires much less action by
a person compared to linking methods based on manually transferred linking
data, because no lengthy sequences have to be read from a first device and
manually typed into a second device. In addition, the possibility of mistyping
can be completely avoided as no linking information has to be typed in making
the proposed method much more convenient for a person. Furthermore, the method
according to the invention does not require a local connection between the
first device and the second device thus rendering compatible interfaces and
attaching or removing of local connections unnecessary while at the same time
increasing the applicability. Presenting of matching linking information by the
first device and by the second device is furthermore advantageous, because it
frees the operator of a first device from being aware of an address of a second
device that is to be linked to said first device as it is the case for linking
methods that require to enter or confirm an address of said second device at
the first device for confirming the linking. However, very often an address of
a device is not available, e.g. the address is not displayed or cannot be read
out or may change temporarily. Especially for a non-trusted device applies that
an address is often not available for the operator, thus making the proposed
method very suited for linking non-trusted devices, e.g. for linking an
IP-address and port of a first computer terminal as first non-trusted device to
an IP address and port of a second computer terminal as second non-trusted
device for establishing a computer network comprising the two computer
terminals.

According to a preferred embodiment, the first device is a trusted device and
the first characteristic relates to an access legitimization that legitimates
to access a first institution. Relating means that the first characteristic
comprises the access legitimization and/or an identifier from that the access
legitimization can be obtained. An example for an identifier from that an
access legitimization legitimating for accessing a mobile telephone network can
be obtained is a Mobile Station Integrated Services Digital Network Number
(MSISDN) of a mobile phone. The associated characteristics can be further
processed, e.g. for statistical, charging, or legal purpose.

According to another preferred embodiment, the second characteristic of the
second device comprises an identifier identifying the second device. Access to
a second institution is granted to or via the second device based on the
associating of the first characteristic relating to the access legitimization
and the second characteristic comprising the identifier. The second institution
can be identical to or different from the first institution. Agreements can
ensure that an access legitimization for accessing the first institution
legitimates also for access to the second institution. Thus, the associating of
the characteristic relating to the access legitimization and the second
characteristic comprising the identifier for identifying the second device can
provide the information that the second device is legitimated for accessing the
second institution. Based on that information, access to the second institution
can be granted. An access assertion may be sent from the server to the second
device, to the second institution or a further entity supporting the second
device or the second institution for granting access. The access assertion may
comprise an access legitimization that legitimates for accessing the second
institution which can be e.g. derived from the access legitimization that
legitimates for accessing the first institution. Access to the second
institution can be e.g. achieved by unlocking the second device for appropriate
usage.

According to another preferred embodiment, a request for authentication
triggers the linking. A request for authentication is common for conventional
authentication methods thus decreasing the implementation effort when using the
proposed linking method for authentication purpose. Especially if an
authentication is required for accessing the second institution, the second
institution may just send the request for authentication and wait for an access
assertion before granting access to the second device as it is the case for
conventional authentication methods. Accordingly, the second institution does
not necessarily have to be adapted to the particularities of the proposed
method thus increasing the applicability of the proposed method.

According to another preferred embodiment, the first linking information and
the second linking information comprise one or more randomly generated symbols.
Randomly generated symbols are beneficial due to security reason, because the
probability is reduced that identical or similar linking information is
presented in a first linking and in a second linking. Especially, if multiple
non-trusted devices are located in close proximity, a person that has to
confirm a matching of linking information may get easily confused if the same
or very similar linking information is presented on the multiple non-trusted
devices in his environment. Furthermore, randomly generated symbols are also
advantageous, because the linking information can be processed in the way of a
one-time password which is beneficial if the method according to the present
invention is to be combined with a conventional linking method using one-time
passwords. Examples for a symbol are a digit, a letter, an image, a photo, a
picture, or an icon. Advantageous for the usage of digits, letters, and/or
icons is their easy processing and presenting on a device having a single
display like it is integrated in a conventional Global System for Mobile
Communication (GSM) mobile phone. Another advantage of digits and/or letters is
that they can be easily converted for an acoustical presentation. The
presenting of graphics like images, photos, pictures, and/or icons can be
advantageous because a person usually recognizes more intuitively and faster
the matching of graphics compared to letters and/or digits making the method
more convenient.

According to another preferred embodiment, the first linking information is
identical to the second linking information. Comparing and confirming the
matching of identical linking information is typically more convenient compared
to comparing and confirming of non-identical matching linking information. In
addition, the usage of identical linking information is easier to implement in
the server.

According to another preferred embodiment, the associating of the first
characteristic and the second characteristic can be based on a verification for
correctness of confirmation data entered into the first device. The entering of
confirmation data can be advantageous for security reasons, e.g. for making a
person more aware or for personal authentication. For verification of the
correctness of the entered confirmation data, the entered confirmation data has
to match to predefined confirmation data. The first device or the server or
both can execute the verification. If the server verifies the entered
confirmation data, the confirmation data entered into the first device or data
produced in the first device based on the entered confirmation data is to be
sent to the server, e.g. included or attached to the matching confirmation. The
server compares the entered confirmation data or the produced data to
predefined confirmation data and executes the associating of the
characteristics if the entered confirmation data or the produced data,
respectively, matches to the predefined confirmation data. If the first device
executes the verification, the first device has access to the predefined data
that enables the first device to verify the entered confirmation data for
correctness, e.g. the predefined data can be sent from the server to the second
device or the predefined data can be stored on the second device. The first
device compares the entered confirmation data with the predefined confirmation
data and sends the matching confirmation to the server if the entered
confirmation data matches to the predefined confirmation data. The method may
be implemented in a way that the sending of the matching confirmation is an
implicit indication for the verification for correctness of the entered
confirmation data by the first device to the server. Based on the verification
for correctness, the server can execute the associating of the first and the
second characteristic. Depending on the implementation, the confirmation data
may be entered for indicating the matching of the linking information thus
reducing the number of steps to be executed.

According to a preferred embodiment the confirmation data comprises at least
one of (a) a Personal Identification Number, (b) a password, (c) an indication
for additional information being presented in parallel to the first linking
information or second linking information, the additional information being
distinguishable from the first linking information and the second linking
information, and (d) data being computed on the base of the first linking
information and/or the second linking information. An entered Personal
Identification Number (PIN) allows to personally authenticate the person that
currently operates the first device and is especially advantageous to avoid
unauthorized usage e.g. by preventing a thief to use a stolen device for a
linking according to the invention. A password can be used in the same manner,
but it may be easier to remember than a PIN. Presenting of the additional
information in parallel to the first linking information or the second linking
information may force the operator to thoroughly study the presented
information in order to recognize the matching thus making the proposed method
more secure. In addition, an indication for the additional information can be
very short and easy to enter, e.g. by a digit or letter indicating the
additional information. An alternative solution is entering of data being
computed on the base of the first linking information and/or the second linking
information that also increases the awareness of the person and thus makes the
method more secure. Also, some persons may find the proposed linking method
attractive just because of the computing step that requires the person to think
for the correct answer, i.e. the correct confirmation data.
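
The server side of the method summarised above (select, send, receive the matching confirmation, associate), using randomly generated symbols as identical linking information and the variant in which the server verifies a PIN, as an added example that is not part of the patent text. The session identifier, the expiry time, the sender check and the PBKDF2 storage of the PIN are assumptions of this example, and it assumes the transport has already authenticated who sent the confirmation.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed symbol set: letters and digits, look-alike glyphs (0/O, 1/I) left out.
SYMBOLS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Stored form of the predefined confirmation data (assumption: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class PendingLink:
    first_char: str    # first characteristic, e.g. MSISDN of the trusted device
    second_char: str   # second characteristic, e.g. identifier of the terminal
    info: str          # linking information (identical for both devices here)
    expires_at: float


class LinkingServer:
    def __init__(self, pins, ttl=60.0, length=4, clock=time.monotonic):
        self.pins = pins      # first_char -> (salt, pin_hash); no entry = no PIN
        self.ttl = ttl        # hypothetical lifetime of a linking attempt, seconds
        self.length = length  # number of random symbols presented
        self.clock = clock
        self.pending = {}     # session id -> PendingLink
        self.table = {}       # association table: second_char -> first_char
        self.outbox = []      # stands in for the transmitting unit

    def request_linking(self, first_char, second_char):
        """Select the linking information and send it to both devices."""
        now = self.clock()
        self.pending = {s: p for s, p in self.pending.items() if p.expires_at > now}
        # Avoid a code that is already on display in another pending linking,
        # so that neighbouring devices never show the same symbols.
        in_use = {p.info for p in self.pending.values()}
        while True:
            info = "".join(secrets.choice(SYMBOLS) for _ in range(self.length))
            if info not in in_use:
                break
        session_id = secrets.token_urlsafe(16)
        self.pending[session_id] = PendingLink(first_char, second_char, info,
                                               now + self.ttl)
        self.outbox.append((first_char, session_id, info))
        self.outbox.append((second_char, session_id, info))
        return session_id

    def matching_confirmation(self, session_id, sender, pin=None):
        """Handle the matching confirmation; associate on success."""
        # Consumed on the first attempt, so the code behaves like a one-time password.
        link = self.pending.pop(session_id, None)
        if link is None or self.clock() >= link.expires_at:
            return False
        # Only the first device may confirm (sender assumed authenticated).
        if sender != link.first_char:
            return False
        stored = self.pins.get(link.first_char)
        if stored is not None:
            salt, expected = stored
            if pin is None or not hmac.compare_digest(hash_pin(pin, salt), expected):
                return False
        self.table[link.second_char] = link.first_char
        return True
```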

The present invention also concerns a server in order to implement the method
as described above.

The server can be used for linking of a first characteristic of a first device
and a second characteristic of a second device. The server comprises a
receiving unit for receiving messages, a transmitting unit for sending
messages, and a processing unit for processing messages and information. The
processing unit is adapted to select a first linking information and a second
linking information. The first linking information matches to the second
linking information. The transmission unit is adapted to send the first linking
information to the first device and the second linking information to the
second device. The receiving unit is adapted to receive a matching confirmation
from the first device with the matching confirmation confirming to the
processing unit the matching of the first linking information presented by the
first device and the second linking information presented by the second device.
The processing unit is adapted to execute an associating of the first
characteristic and the second characteristic based on the received matching
confirmation.

According to a preferred embodiment, the first device is a trusted device and
the first characteristic relates to an access legitimization legitimating the
trusted device for accessing a first institution.

According to another preferred embodiment, the second characteristic comprises
an identifier identifying the second device and, based on the associating of
the first characteristic relating to the access legitimization and the second
characteristic comprising the identifier, the processing unit is adapted to
generate an access assertion for granting to or via the second device access to
a second institution being identical or different from the first institution,
and the transmission unit is adapted to send the access assertion to the second
device or the second institution or to an entity supporting the second device
or the second institution for granting access.

According to another preferred embodiment, the receiving unit is adapted to
receive a request for authentication triggering the processing unit to execute
the linking.

According to another preferred embodiment, the processing unit is adapted to
select the first linking information and the second linking information to
comprise one or more randomly generated symbols.

According to another preferred embodiment, the processing unit is adapted to
select the first linking information being identical to the second linking
information.

According to another preferred embodiment, the processing unit is adapted to
execute the associating of the first characteristic and the second
characteristic based on a verification for correctness of confirmation data
entered into the first device.

The present invention also concerns a computer program comprising portions of
software codes in order to implement the method as described above when
operated on a server. The computer programs can be stored on a computer
readable medium. The computer-readable medium can be a permanent or rewritable
memory within a server or located externally. The respective computer program
can be also transferred to a server for example via a cable or a wireless link
as a sequence of signals.

The computer program can be used for linking of a first characteristic of a
first device and a second characteristic of a second device. The computer
program can be loaded into a processing unit of a server and comprises code
adapted to select a first linking information and a second linking information.
The first linking information matches to the second linking information. The
computer program comprises code adapted to initialize a sending of the first
linking information to the first device and a sending of the second linking
information to the second device and to execute an associating of the first
characteristic and the second characteristic based on a matching confirmation
received from the first device with the matching confirmation confirming to the
computer program the matching of the first linking information presented by the
first device and the second linking information presented by the second device.
The computer program can be used in all embodiments of the method as described.

In the following, detailed embodiments of the present invention shall be
described in order to give the skilled person a full and complete
understanding. However, these embodiments are illustrative and not intended to
be limiting, as the scope of the invention is defined by the appended claims.

[Brief description of the drawings] 

Fig. 1a shows a flowchart diagram of a first embodiment of the present
invention;

Fig. 1b shows examples of processes and messages between devices according to
the first embodiment of Fig. 1a;

Fig. 2 shows an operator, devices and messages between devices of a second
embodiment of the present invention;

Fig. 3a shows a table comprising a first set of examples of presentations by a
trusted and on a non-trusted device;

Fig. 3b shows a table comprising a second set of examples of presentations by a
trusted and on a non-trusted device.



[Detailed description of the invention]

Figure 1a shows a flowchart diagram of a first embodiment of the present
invention in which a request 50 for linking triggers the following steps of the
method. Fig. 1b shows examples of processes and messages between devices, i.e.
a first device PP1 and a second device NP1 that are to be linked and a server
S1, for carrying out the method according to the flow-chart depicted in
Fig. 1a. In the following, Fig. 1a and 1b are described in parallel. Identical
references in Fig. 1a and 1b describe corresponding features.

According to Fig. 1a, the first embodiment starts with a request 50 for linking.
The request 50 for linking may originate from an entity being external to the
server S1 or by the server S1 itself. The request 50 for linking can be sent from
the second device NP1 to the server S1 by a request message 51 as depicted
in Fig. 1b. The request 50 for linking triggers the server S1 to link the first device
PP1 and the second device NP1 by associating a first characteristic of the first
device PP1 and a second characteristic of the second device NP1. In the
request message 51, the server S1 can be provided with an address of the
second device NP1. Furthermore, the request message 51 can comprise an
address of the first device PP1. Subsequently, the server S1 selects 75 the first
linking information and the second linking information. Furthermore, the server
S1 sends 100 the first linking information via message 101 to the first device
PP1 and sends 150 the second linking information via message 151 to the
second device NP1. Subsequently, the first linking information is presented 200
by the first device PP1 and the second linking information is presented 250 by
the second device NP1. After comparing the presented linking information and
recognizing that the presented information matches, the person that operates the
first device PP1 executes an entering 300 of an indication of the matching into
the first device PP1. Preferably, a request is output by the first device PP1 for
the entering 300 of the indication of the matching and, if tighter security
requirements apply, also for entering 350 of confirmation data like a PIN into the
first device PP1. According to the present example, the entered confirmation
data is verified by the first device PP1 for correctness. The entering 300, 350 of
the indication of the matching and of the correct confirmation data triggers the
sending 400 of a matching confirmation from the first device PP1 to the server
S1 via message 401. The matching confirmation confirms the matching of the
first linking information that is presented on the first device PP1 and the second
linking information that is presented on the second device NP1 and additionally
provides the server S1 with information that the operator of the first device PP1
has been personally authenticated by entering the correct PIN. Furthermore, the
server S1 is provided by the received matching information with a proof of the
close proximity of the first device PP1 and the second device NP1 such that the
server S1 can assume that the person operating the second device NP1 is
identical to or at least being authorized by the person operating the first device
PP1. Based on the received matching confirmation, an associating 450 of a first
characteristic of the first device PP1 and a second characteristic of the second
device NP1 can be executed by the server S1. Which characteristics are to be
associated 450 may be indicated in the request 50 for linking. Additional
determination steps may be executed to determine appropriate characteristics
that are to be associated. A suitable example is to associate an address of the
first device PP1 and an address of the second device NP2, e.g. the addresses
that are known to the server S1 for sending 100, 150 the linking information.
Based on the associating 450 of the first characteristic and the second
characteristic, a linking assertion can state the successful linking of the two
devices PP1, NP1. The linking assertion may be sent 501 to the second device
as response to the request 50 for linking.

When using as first device PP1 a trusted device, additional verification steps
may be advantageous that are not shown in Fig. 1. In this case, the server may
verify the access legitimization of the personal device for executing the linking,
e.g. before sending the linking information to the respective devices. Especially,
if access to an institution is requested for or via the second device NP1, it can
be checked if appropriate agreements exist allowing to access the institution by
or via the second device NP1 based on the access legitimization of the trusted
device. For example, it can be checked if an access legitimization of a mobile
phone legitimating the mobile phone for accessing a mobile telephone system
like a GSM or Universal Mobile Telecommunication System (UMTS) legitimates
also for accessing an Internet service as example for the institution to that
access is requested to via a computer terminal as example for a second device.
By associating a first characteristic relating to the access legitimation of the
first device, e.g. a mobile phone number as first characteristic, and a second
characteristic that allows to identify the second device, access for or via the
second device to the institution can be granted.

For using the method as described in conjunction with Fig. 1a for authentication
purpose, it is advantageous to replace the request 50 for linking and the linking
assertion 500 by an appropriate request for authentication and an
authentication assertion, respectively, and using as first device PP1 a trusted
device. The request for authentication may be sent via message 51 to the
server S1. The steps 75-450 and corresponding processes and messages
75-450 can be executed as explained in conjunction with Fig. 1. Based on the
linking, the authentication assertion can be sent for granting access. For
example, the authentication assertion may be sent via message 501 to the
second device effecting e.g. an unlocking of the second device NP1 for getting
access.

In general, the following applies to the first and second device: for receiving the
first linking information at the first device, the first device is equipped with a first
receiving unit and for receiving the second linking information by the second
device, the second device is equipped with a second receiving unit. For
presenting the first linking information by the first device, the first device is
equipped with a first output unit and for presenting the second linking
information by the second device, the second device is equipped with a second
output unit. Examples for an output unit are a display, a loudspeaker, or a
printer, or a device that allows presenting of linking information by embossed
symbols. The second device can be equipped with an input unit like a keypad or
microphone for triggering the linking method e.g. by a request for authentication
or linking. For the entering of the indication of the matching and the confirmation
data if applicable, the first device is equipped with an input unit like a keypad,
microphone, or touch-screen.

One or more of the aforementioned units for the first device and/or the second
device may be removable. The fact that the first device and/or the second
device do not necessarily need to have an integrated receiving unit,
transmission unit, input unit and/or output unit makes the proposed method
much more flexible, e.g. as trusted device a credit card can be used inserted
into a device similar to a card reader having in addition an input and output unit
and a receiving and transmission unit as explained before. Furthermore, a
presenting of linking information by a loudspeaker or in Braille makes the
proposed method also easily operable by blind persons.



In the following, examples for trusted devices are described that may be used in
the proposed linking method: firstly, a trusted device that legitimates for access
to an institution without revealing an identity of the legitimate owner of the
trusted device: according to this first example, one or more characteristics
associated with the trusted device that are determinable by the institution when
presenting the trusted device for getting access do not allow to identify the
legitimate owner. To this end, a trusted device according to the first example
can be provided to the legitimate owner without associating an identity of the
legitimate owner to said one or more determinable characteristics. An example
for such a trusted device is a ticket that legitimates for accessing an institution
by revealing as access legitimization a name of said institution and a serial
number not being associated with an identity of the legitimate owner. Secondly,
a trusted device that legitimates for access to an institution which allows to
obtain an identity of the legitimate owner; according to the second example, at
least one of the characteristics of the trusted device determinable by the
institution is associated with an identity of the legitimate owner. Said identity
can be stored at the trusted device, at the institution, and/or a further entity
accessible by the institution. When said identity is stored at the institution
and/or at the further entity, the trusted device has to be uniquely identifiable by
the institution in order to obtain the identity of the legitimate owner. Thirdly, a
trusted device that legitimates for access to an institution allowing a personal
authentication, i.e. it is possible to prove that the person that operates the
trusted device is identical to or is authorized by the legitimate owner. A secret
like a Personal Identification Number (PIN) personally issued to the legitimate
owner or a user identity - password mechanism or personal information uniquely
relating to the legitimate owner like a signature or photo can be used for
personal authentication when presenting the trusted device for getting access.
Authorization by the legitimate owner can be achieved by providing said secret
to a further person that enables the further person to access the institution when
presenting the trusted device. Examples for trusted devices allowing personal
authentication are a credit card in combination with a signature or a GSM
mobile phone in combination with a PIN.

For linking of a trusted device, it depends on the trusted device and the
processing of characteristics determinable by the server for the linking if
information about the legitimate owner as explained before is provided to the
server. If information about the legitimate owner is determinable, this
information can be used in the associating step. As a general rule, for tighter
security requirements a higher example number of trusted device is preferably
used. In addition, a trusted device can be associated with characteristics like
the date of issue, the date of expiry, or a value associated with trusted device
that can be considered e.g. for the linking and/or for granting access.

Fig. 2 shows a second embodiment of the proposed method. A person A2 that
operates a trusted device depicted as mobile phone PP2 and a non-trusted
device depicted as a computer terminal NP2 wants to access via the computer
terminal NP2 a service provided by a server SP2 in the Internet. The computer
terminal NP2 sends a request SR for service access to the server SP2 providing
the service in the Internet. The server SP2 recognizes that an authentication is
required for the requested service. The server SP2 can respond to the
computer terminal NP2 with an authentication request message ARM1 asking
for authentication, e.g. by asking to enter a MSISDN number. The person A2
enters the MSISDN number of the mobile phone PP2 into the computer terminal
NP2 and sends in an authentication response message ARM2 the entered
MSISDN number to the server SP2. The authentication response message
ARM2 can carry also the address of the computer terminal NP2 like an Internet
Protocol (IP) address and a port number. Based on the received authentication
response message ARM2, the server SP2 sends a request RA for
authentication to the server AS2. According to the present example, the request
RA comprises the MSISDN number of the mobile phone PP2, the IP address
and port number of the computer terminal NP2 and an IP address and port
number of the server SP2. Optionally, an identifier or a name of the service
and/or service provider and the time the request SR for service was received at
the server SP2 can be included into the request RA. Triggered by the request
RA, the server AS2 proceeds as follows: The server AS2 accepts the received
MSISDN number as being legitimated for access to a mobile telecommunication
system. Based on an analysis of the MSISDN number the server AS2 may also
detect that the MSISDN number corresponds to a particular network operator.
According to the present example, the server AS2 checks if the access
legitimization according to the MSISDN number legitimates also for access to
the service provided by the server SP2, e.g. according to an appropriate
agreement made in advance or on request or by assuming an implicit
agreement due to the fact that the server SP2 sends the MSISDN number in the
request message 51. If personal authentication is required, the server AS2 may
in addition obtain an identity of the legitimate owner of the MSISDN number,
e.g. name and address of the person A2 presenting the mobile phone PP2 as
trusted device.

After accepting the MSISDN number of the mobile phone PP2 and the approval
of the associated access legitimization, the server AS2 proceeds with the linking
by selecting a first and a second linking information. According to the present
example, the server AS2 selects and sends an identical sequence of pictures to
the mobile phone PP2 and to the computer terminal NP2. The linking
information for the computer terminal NP2 is sent in a message LIA1 to the
server SP2 which further sends the linking information for the computer terminal
NP2 via message LIA2 to the computer terminal NP2 where the linking
information is presented on the computer screen as shown by the screen image
DIN. The linking information for the mobile phone PP2 is sent in a message LIB,
e.g. via Short Message Service (SMS) or Multimedia Messaging Service (MMS)
or WAP (Wireless Application Protocol) push, to the mobile phone PP2. The
linking information is presented on the display of the mobile phone PP2 as
shown by the screen image DIP. The method becomes more convenient and
more secure, if the linking information presented on the mobile phone PP2 is
presented in parallel with a request like

"Dear [Name of person].

You want to access the service [Name of service] at [Time of service request].
Please confirm the matching of the linking information presented on your mobile
phone and your non-trusted device [Address] by pressing the YES button on
your mobile phone followed by entering your PIN."

The aforementioned request text includes entries given in brackets. These
entries like the name of the person A2, the name of the service, the time of
service request, and an address of the non-trusted device can be included into
the message LIB and thus provided to the mobile phone PP2 for presentation if
the server AS2 has this information available as explained before.

If the linking information in the form of a sequence of pictures presented on the
display of the mobile phone PP2 and on the screen of the computer terminal
NP2 is identical and thus matches, the person A2 presses the "YES" button on
the mobile phone PP2 and enters his PIN for confirmation of the matching. For
the case that the information that is presented by the mobile phone PP2 and the
information presented by the computer terminal NP2 do not match, a possible
attack may be going on. In this case, the confirmation of the matching can be
denied and thus the linking procedure can be terminated, e.g. by pressing "NO"
or by entering a wrong PIN. According to the present example, the linking
information matches and a matching confirmation is sent via a matching
confirmation message MC from the mobile phone PP2 to the server AS2.
Based on the received matching confirmation, the server AS2 links the
computer terminal NP2 and the mobile phone PP2 by associating e.g. the
address of the computer terminal NP2 with the MSISDN number of the mobile
phone PP2 and provides the server SP2 with an authentication assertion
message AA comprising an authentication assertion. Based on the
authentication assertion, the server SP2 can grant service access SA to
computer terminal NP2 for the person A2. If available or requested, the server
AS2 may provide personal information related to the person A2 like the name
and/or the address and/or a credit card number to the server SP2. The server
SP2 can store the provided personal information in a database, e.g. for
charging or statistical purposes or legal reasons.
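
The exchange of Fig. 2 as seen from the server AS2, given here as an added
example that is not part of the original text. The class and function names, the
session identifier carried in message LIB, the 120 second session lifetime and
the sample MSISDN and address are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

ICON_SET_SIZE = 100   # "a set of 100 icons" (description of Fig. 3a)
SEQUENCE_LENGTH = 3   # 3 random icons -> 100**3 = 1,000,000 sequences
KEYSPACE = ICON_SET_SIZE ** SEQUENCE_LENGTH
SESSION_TTL = 120.0   # seconds; assumed, the description gives no lifetime


@dataclass(frozen=True)
class Session:
    msisdn: str         # first characteristic: MSISDN of mobile phone PP2
    terminal: tuple     # second characteristic: (IP, port) of terminal NP2
    icons: tuple        # linking information, identical for both devices
    expires_at: float


class LinkingServer:
    """Toy model of server AS2 from the Fig. 2 embodiment."""

    def __init__(self, legitimized_msisdns, clock=time.monotonic):
        self._legitimized = set(legitimized_msisdns)
        self._clock = clock
        self._pending = {}   # session id -> Session awaiting message MC
        self.links = {}      # terminal address -> MSISDN (the association)

    def request_authentication(self, msisdn, terminal):
        """Handle request RA; return (session_id, LIA payload, LIB payload)."""
        if msisdn not in self._legitimized:
            raise PermissionError("MSISDN carries no access legitimization")
        # Linking information must be unpredictable, so use a CSPRNG.
        icons = tuple(secrets.randbelow(ICON_SET_SIZE)
                      for _ in range(SEQUENCE_LENGTH))
        sid = secrets.token_urlsafe(16)
        self._pending[sid] = Session(msisdn, terminal, icons,
                                     self._clock() + SESSION_TTL)
        lia = {"to": terminal, "icons": icons}
        lib = {"to": msisdn, "session": sid, "icons": icons,
               "terminal": terminal}   # lets the phone show the [Address] entry
        return sid, lia, lib

    def matching_confirmation(self, sid, sender, matched, pin_verified):
        """Handle message MC; return assertion AA as a dict, or None."""
        # A session is consumed by the first MC, whether it confirms or denies.
        session = self._pending.pop(sid, None)
        if session is None or self._clock() > session.expires_at:
            return None
        if sender != session.msisdn or not (matched and pin_verified):
            return None
        self.links[session.terminal] = session.msisdn
        return {"authenticated": True, "terminal": session.terminal,
                "msisdn": session.msisdn}


def operator_confirms(shown_on_phone, shown_on_terminal):
    """The person A2 presses YES only if both presentations are identical."""
    return shown_on_phone == shown_on_terminal


if __name__ == "__main__":
    server = LinkingServer({"+10000000001"})        # constructed MSISDN
    sid, lia, lib = server.request_authentication(
        "+10000000001", ("192.0.2.10", 50000))      # constructed address
    ok = operator_confirms(lib["icons"], lia["icons"])
    print(server.matching_confirmation(sid, "+10000000001", ok, True))
```

A denied, expired or repeated confirmation leaves the terminal unlinked, which
is the behaviour the description asks for when the presentations do not match.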

The embodiment of Fig. 2 uses a computer terminal as non-trusted device.
However, the embodiments described in conjunction with Fig. 1a, 1b, and 2 can
also be carried out with a non-trusted device being for example a personal
digital assistant (PDA), a workstation, a notebook, an ATM, a physical access
unit like a door or a physical control device like a steering wheel.

In Fig. 3a a table is shown with examples of matching linking information
presented by a trusted device as an example for a first device and a non-trusted
device as an example for a second device. The individual examples of linking
information are indicated by identifying numbers (IDs). Identical sequences of
digits 1a, of letters 2a, of icons 3a, of pictures 4a, and of a combination of letters
and digits 5a are shown as examples for identical linking information. However,
as stated earlier, matching linking information does not necessarily have to be
identical. Examples for non-identical matching linking information are given in
the examples 6a to 11a. Examples 6a and 7a reveal examples for successional
matching linking information for sequences of digits and letters, respectively, i.e.
sequences starting on the trusted device are continued on the non-trusted
device or vice versa. 8a and 9a show examples for complementary matching
linking information where a first sequence of icons is presented by the trusted
device and a second sequence of icons identical to the first one but with
reversed color is presented by the non-trusted device. 10a is an example for a
computational matching linking information, i.e. the linking information
presented by the non-trusted device can be computed by the linking information
presented by the trusted device or vice versa. Example 11a shows a sequence
of pictures presented by the non-trusted device. The linking information
presented by the trusted device is a sequence of names matching the sequence
of pictures in text format. An implementation according to example 11a may be
very useful if only one of the devices supports the presentation of pictures. It
can be therefore advantageous to provide to the trusted device or to the
non-trusted device or both a variety of formats of the linking information from
that the format best suited can be selected for increasing the probability for
presenting the linking information. Another example for non-identical matching
information not shown in Fig. 3a is a puzzle, wherein one or more first parts of
the puzzle can be presented by the trusted device and one or more further parts
of the puzzle can be presented by the non-trusted device.

Comparing and recognizing of a matching of graphical linking information like
pictures, images, or icons can be easier for a person than of non-graphical
linking information like digits or letters making the proposed method based on
graphical linking information more convenient but also more secure as the
probability for an erroneous recognition of the matching is decreased. As an
example for a set of 100 icons, a sequence of 3 randomly chosen icons as
linking information allows for 1,000,000 different sequences what makes the
proposed method sufficiently secure on the one hand. On the other hand, a
sequence of 3 icons is very easy and fast to compare compared to e.g. a
sequence of six digits, which also allows for 1,000,000 different sequences.

Fig. 3b is used to explain how an entering of the indication of the matching can
be executed and how an entering of confirmation data into the trusted device as
an example for the first device can be performed. For this reason, examples for
matching linking information presented by the trusted device and by a
non-trusted device as example for the second device are shown. The presented
matching linking information is supplemented by additional information
presented in parallel to the respective matching linking information on one of the
devices. For recognizing the matching of the first linking information and the
second linking information, the additional information should be clearly
distinguishable from the matching linking information, e.g. according to the
examples 1b-10b as explained in the following. For entering of an indication for
the matching and/or the entering of confirmation data, an appropriate request
may be presented by at least one of the devices that are to be linked. The
entering of the indication for matching and for the confirmation data can be
combined.

According to the first example in 1b, the matching linking information is given by
a sequence of digits "123456" on both devices and the additional information by
a sequence of Latin letters "ABCDEF" and sequence of Greek letters VSnP^^.
The information as presented on the trusted device is numbered and matching
of the linking information can be confirmed by typing in into the trusted
device for indicating that the information numbered "ST" presented by the trusted
device is the linking information that matches to the linking information
presented by the non-trusted device. Alternatively, a pointing device like a
mouse can be used for "clicking" on the linking information or the corresponding
identifier, i.e. the number according to the present example. Also a vocal
entering is possible for indicating the matching.

2b shows a corresponding presentation of matching linking information, i.e.
"ABCDEF", and additional information, i.e. "45T69ff" and "$rt%tz", with the
additional information now being presented by the non-trusted device. As
identifiers for the matching linking information letter "A" and for the additional
information letters "B" and are used. According to this example, an
indication of the matching may be executed by entering "A" into the trusted
device.

According to the example in 1b and 2b, the entering of the indication of the
matching can be also made by trivial means without further making usage of the
additional information presented to the person, e.g. by pressing "YES". An
additional confirmation step can request the entering of or "A" as
confirmation data according to example 1b or 2b, respectively.

Both examples 1b and 2b increase the complexity for the benefit of an increase
of the security of the method. The person that operates the trusted device
cannot just achieve the linking of the trusted device and the non-trusted device
just by pressing a button or by other trivial means. Instead, he is forced to
thoroughly compare the information presented by both devices and to make the
right choice for the entering.
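
How a presentation in the style of example 1b can be generated and checked,
given here as an added example that is not part of the original text. The
function names, the row numbering "1" to "3", the use of upper-case letters for
the additional information and the six-character length are assumptions made
for the illustration.

```python
import hmac
import secrets
import string
from fractions import Fraction

_rng = secrets.SystemRandom()   # CSPRNG-backed choice and shuffle


def _random_text(alphabet, length=6):
    return "".join(_rng.choice(alphabet) for _ in range(length))


def build_challenge(decoys=2):
    """Return (terminal_text, phone_rows, expected_entry) for one linking.

    The non-trusted device shows only the linking information. The trusted
    device shows it among numbered rows of additional information.
    """
    linking = _random_text(string.digits)
    # Additional information uses letters so that it stays clearly
    # distinguishable from the digit-only linking information.
    extra = set()
    while len(extra) < decoys:
        extra.add(_random_text(string.ascii_uppercase))
    rows = [linking, *extra]
    _rng.shuffle(rows)           # the matching row must not sit at a fixed place
    phone_rows = {str(n): text for n, text in enumerate(rows, start=1)}
    expected = str(rows.index(linking) + 1)
    return linking, phone_rows, expected


def careful_operator(terminal_text, phone_rows):
    """Model of a person who compares: the row number to type, or None."""
    for ident, text in phone_rows.items():
        if text == terminal_text:
            return ident
    return None                  # nothing matches: deny, an attack is possible


def entry_is_correct(expected, entered):
    """Verify the typed row number; a denial (None) is never accepted."""
    return entered is not None and hmac.compare_digest(expected, entered)


def blind_success_probability(decoys=2):
    """Chance that an operator who does not compare picks the right row."""
    return Fraction(1, decoys + 1)


if __name__ == "__main__":
    terminal_text, phone_rows, expected = build_challenge()
    typed = careful_operator(terminal_text, phone_rows)
    print(phone_rows, "typed:", typed, "accepted:",
          entry_is_correct(expected, typed))
```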

In the following examples 3b to 10b, the digit "0" represents additional
information that can be easily distinguished from the matching linking
information according to the present examples. The additional information can
be e.g. presented separately from the linking information by the trusted device
according to examples 8b to 10b or presented separately from the linking
information by the non-trusted device according to the examples 4b to 7b or
comprised in the linking information as depicted according to example 3b for
additional information comprised in the linking information by the trusted device.
Additional information comprised in the linking information presented by the
non-trusted device is also possible but not shown in Fig. 3b.

According to the examples 3b to 10b, an indication of the matching can be
made, e.g. by pressing the "YES" button, and then to enter confirmation data,
i.e. the additional information "0" according to the examples 3b to 10b.

In 11b, identical linking information in form of a mathematical equation "^3^ = T
is presented by both devices. The correct result "8" can be entered as
confirmation data.

Alternatively, the indication for the matching in the examples 3b to 10b and 11b
can be combined with the entering of confirmation data e.g. by requesting to
indicate the matching by entering the additional information, i.e. "0" and "8" for
the examples 3b-10b and 11b, respectively. This implementation has the
advantage that reduced action by the operator of the trusted device is required,
e.g. pressing the "YES" button can be left out.

The above embodiments admirably achieve the objects of the invention.
However, it will be appreciated that departures can be made by those skilled in
the art without departing from the scope of the invention which is limited only by
the claims.

1. A method for linking of a first characteristic of a first device (PP1,PP2)
   and a second characteristic of a second device (NP1,NP2) by a
   server (S1,AS2), the method comprising the steps of:

   - selecting (75) a first linking information and a second linking
     information, the first linking information matching to the second
     linking information,
   - sending (100,150) from the server (S1,AS2) the first linking
     information to the first device (PP1,PP2) and the second linking
     information to the second device (NP1,NP2),
   - presenting (200,250) by the first device (PP1,PP2) the first linking
     information and by the second device (NP1,NP2) the second
     linking information,
   - entering (300) into the first device (PP1,PP2) an indication of the
     matching of the first linking information and the second linking
     information,
   - based on the entered indication of the matching, sending (400) to
     the server (S1,AS2) a matching confirmation for confirming the
     matching to the server (S1,AS2),
   - associating (450) the first characteristic and the second
     characteristic based on the received matching confirmation.

2. The method according to claim 1, wherein the first device (PP1,PP2)
   is a trusted device and the first characteristic relates to an access
   legitimization legitimating the trusted device for accessing a first
   institution.

3. The method according to claim 2, wherein the second characteristic
   comprises an identifier identifying the second device (NP1,NP2) and
   access to a second institution is granted to or via the second device
   (NP1,NP2) based on the associating (450) of the first characteristic
   relating to the access legitimization and the second characteristic
   comprising the identifier, the second institution being identical to or
   different from the first institution.

4. The method according to any of the preceding claims, wherein a
   request for authentication triggers the linking.

5. The method according to any of the preceding claims, wherein the
   first linking information and the second linking information comprise
   one or more randomly generated symbols.

6. The method according to any of the preceding claims, wherein the
   first linking information is identical to the second linking information.

7. The method according to any of the preceding claims, wherein the
   associating (450) is based on a verification for correctness of
   confirmation data entered into the first device (PP1,PP2).

8. The method according to claim 7, wherein the entered confirmation
   data comprises at least one of

   (a) a Personal Identification Number,
   (b) a password,
   (c) an indication for additional information being presented in
       parallel to the first linking information or second linking
       information, the additional information being
       distinguishable from the first linking information and the
       second linking information, and
   (d) data being computed on the base of the first linking
       information and/or the second linking information.

9. A server (S1,AS2) usable for linking of a first characteristic of a first
   device (PP1,PP2) and a second characteristic of a second device
   (NP1,NP2), the server (S1,AS2) comprising a receiving unit for
   receiving messages, a transmitting unit for sending messages, and a
   processing unit for processing messages and information, wherein
   the processing unit is adapted to select a first linking information and
   a second linking information, the first linking information matching to
   the second linking information, the transmission unit is adapted to
   send the first linking information to the first device (PP1,PP2) and the
   second linking information to the second device (NP1,NP2), the
   receiving unit is adapted to receive a matching confirmation from the
   first device (PP1,PP2), the matching confirmation confirming to the
   processing unit the matching of the first linking information presented
   by the first device (PP1,PP2) and the second linking information
   presented by the second device (NP1,NP2), and the processing unit
   is adapted to execute an associating (450) of the first characteristic
   and the second characteristic based on the received matching
   confirmation.

10. The server (S1,AS2) according to claim 9, wherein the first device
    (PP1,PP2) is a trusted device and the first characteristic relates to an
    access legitimization legitimating the trusted device for accessing a
    first institution.

11. The server (S1,AS2) according to claim 10, wherein the second
    characteristic comprises an identifier identifying the second device
    and, based on the associating (450) of the first characteristic relating
    to the access legitimization and the second characteristic comprising
    the identifier, the processing unit is adapted to generate an access
    assertion for granting to or via the second device (NP1,NP2) access
    to a second institution being identical or different from the first
    institution, and the transmission unit is adapted to send the access
    assertion to the second device (NP1,NP2) or the second institution or
    to an entity supporting the second device (NP1,NP2) or the second
    institution for granting access.

12. The server (S1,AS2) according to any of the claims 9 to 11, wherein
    the receiving unit is adapted to receive a request for authentication
    triggering the processing unit to execute the linking.

13. The server (S1,AS2) according to any of the claims 9 to 12, wherein
    the processing unit is adapted to select the first linking information
    and the second linking information to comprise one or more randomly
    generated symbols.

14. The server (S1,AS2) according to any of the claims 9 to 13, wherein
    the processing unit is adapted to select the first linking information
    being identical to the second linking information.

15. The server (S1,AS2) according to any of the claims 9 to 14, wherein
    the processing unit is adapted to execute the associating (450) of the
    first characteristic and the second characteristic based on a
    verification for correctness of confirmation data entered into the first
    device (PP1,PP2).

16. A computer program usable for linking of a first characteristic of a first
    device (PP1,PP2) and a second characteristic of a second device
    (NP1,NP2), the computer program being loadable into a processing
    unit of a server (S1,AS2), wherein the computer program comprises
    code adapted to select a first linking information and a second linking
    information, the first linking information matching to the second linking
    information, to initialize a sending of the first linking information to the
    first device (PP1,PP2) and a sending of the second linking information
    to the second device (NP1,NP2), and to execute an associating (450)
    of the first characteristic and the second characteristic based on a
    matching confirmation received from the first device (PP1,PP2), the
    matching confirmation confirming to the computer program the
    matching of the first linking information presented by the first device
    (PP1,PP2) and the second linking information presented by the
    second device (NP1,NP2).

P17307-TPF 2002OcH1

[Abstract]

A method for linking of a first characteristic of a first device (PP1,PP2) and a
second characteristic of a second device (NP1,NP2) by a server (S1,AS2) is
disclosed. The method comprises the steps of selecting (75) a first linking
information and a second linking information, the first linking information
matching to the second linking information, sending (100,150) from the
server (S1,AS2) the first linking information to the first device (PP1,PP2) and
the second linking information to the second device (NP1,NP2), presenting
(200,250) by the first device (PP1,PP2) the first linking information and by
the second device (NP1,NP2) the second linking information, entering (300)
into the first device (PP1,PP2) an indication of the matching of the first
linking information and the second linking information, and based on the
entered indication of the matching, sending (400) to the server (S1,AS2) a
matching confirmation for confirming the matching to the server (S1,AS2),
and associating (450) the first characteristic and the second characteristic
based on the received matching confirmation.